Merge branch 'main' into cds-compile-retry

Author: jeongsoolee09

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPPathInjectionQuery.qll

@@ -0,0 +1,87 @@
+/**
+ * Exported functions from CAP `cds.utils`.
+ * Functions described from:
+ * https://www.npmjs.com/package/@sap/cds?activeTab=code
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.CDSUtils
+
+abstract class UtilsAccessedPathSink extends DataFlow::Node { }
+
+abstract class UtilsControlledDataSink extends DataFlow::Node { }
+
+abstract class UtilsControlledPathSink extends DataFlow::Node { }
+
+abstract class UtilsExtraFlow extends DataFlow::Node { }
+
+/**
+ * This represents the data in calls as follows:
+ * ```javascript
+ * await write ({foo:'bar'}) .to ('some','file.json')
+ * ```
+ * sinks in this example are:
+ * ```javascript
+ * {foo:'bar'}
+ * ```
+ */
+class WrittenData extends UtilsControlledDataSink {
+  WrittenData() { exists(FileWriters fw | fw.getData() = this) }
+}
+
+/**
+ * This represents the filepath accessed as an input for the data in calls as follows:
+ * ```javascript
+ * await copy('db/data').to('dist/db/data')
+ * ```
+ * sinks in this example are:
+ * ```javascript
+ * 'db/data'
+ * ```
+ */
+class AccessedPath extends UtilsAccessedPathSink {
+  AccessedPath() { exists(FileReaderWriters fw | fw.getFromPath() = this) }
+}
+
+/**
+ * This represents the filepath where data is written or a file operation is performed in calls as follows:
+ * ```javascript
+ * await write ({foo:'bar'}) .to ('some','file.json')
+ * ```
+ * sinks in this example are:
+ * ```javascript
+ * 'some'
+ * 'file.json'
+ * ```
+ */
+class ControlledInputPath extends UtilsControlledPathSink {
+  ControlledInputPath() {
+    exists(FileReaders fw | fw.getPath() = this)
+    or
+    exists(FileReaderWriters fw | fw.getToPath() = this)
+    or
+    exists(FileWriters fw | fw.getPath() = this)
+    or
+    exists(DirectoryWriters dw | dw.getPath() = this)
+    or
+    exists(DirectoryReaders dr | dr.getPath() = this)
+  }
+}
+
+/**
+ * This represents calls where the taint flows through the call. e.g.
+ * ```javascript
+ * let dir = isdir ('app')
+ * ```
+ */
+class AdditionalFlowStep extends UtilsExtraFlow {
+  AdditionalFlowStep() {
+    exists(PathConverters pc | pc.getPath() = this)
+    or
+    exists(PathPredicates pr | pr.getPath() = this)
+  }
+
+  DataFlow::CallNode getOutgoingNode() { result = this }
+
+  DataFlow::Node getIngoingNode() { result = this.(DataFlow::CallNode).getAnArgument() }
+}

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDSUtils.qll

@@ -0,0 +1,145 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+
+/**
+ * An access to the `utils` module on a CDS facade.
+ */
+class CdsUtilsModuleAccess extends API::Node {
+  CdsUtilsModuleAccess() { exists(CdsFacade cds | this = cds.getMember("utils")) }
+}
+
+/**
+ * CDS Utils:
+ * `decodeURI`, `decodeURIComponent`, `local`
+ */
+class PathConverters extends DataFlow::CallNode {
+  PathConverters() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["decodeURI", "decodeURIComponent", "local"]).getACall() = this
+    )
+  }
+
+  /**
+   * Gets the arguments to these calls.
+   */
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+/**
+ * CDS Utils:
+ * `isdir`, `isfile`
+ */
+class PathPredicates extends DataFlow::CallNode {
+  PathPredicates() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["isdir", "isfile"]).getACall() = this)
+  }
+
+  /**
+   * Gets the arguments to these calls.
+   */
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+/**
+ * CDS Utils:
+ * `find`, `stat`, `readdir`
+ */
+class DirectoryReaders extends DataFlow::CallNode {
+  DirectoryReaders() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["find", "stat", "readdir"]).getACall() = this
+    )
+  }
+
+  /**
+   * Gets the arguments to these calls.
+   */
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+/**
+ * CDS Utils:
+ * `mkdirp`, `rmdir`, `rimraf`, `rm`
+ */
+class DirectoryWriters extends DataFlow::CallNode {
+  DirectoryWriters() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["mkdirp", "rmdir", "rimraf", "rm"]).getACall() = this
+    )
+  }
+
+  /**
+   * Gets the arguments to these calls.
+   */
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+/**
+ * CDS Utils:
+ * `read`
+ */
+class FileReaders extends DataFlow::CallNode {
+  FileReaders() { exists(CdsUtilsModuleAccess utils | utils.getMember(["read"]).getACall() = this) }
+
+  /**
+   * Gets the 0th argument to these calls.
+   */
+  DataFlow::Node getPath() { this.getArgument(0) = result }
+}
+
+/**
+ * CDS Utils:
+ * `append`, `write`
+ */
+class FileWriters extends DataFlow::CallNode {
+  FileWriters() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["append", "write"]).getACall() = this)
+  }
+
+  /**
+   * Gets the arguments to these calls that represent data.
+   */
+  DataFlow::Node getData() {
+    this.getNumArgument() = 1 and
+    this.getArgument(0) = result
+    or
+    this.getNumArgument() = 2 and
+    this.getArgument(1) = result
+  }
+
+  /**
+   * Gets the arguments to these calls that represent a path.
+   * Includes arguments to chained calls `to`, where that argument also represents a path.
+   */
+  DataFlow::Node getPath() {
+    this.getAMemberCall("to").getAnArgument() = result
+    or
+    this.getNumArgument() = 2 and
+    this.getArgument(0) = result
+  }
+}
+
+/**
+ * CDS Utils:
+ * `copy`
+ */
+class FileReaderWriters extends DataFlow::CallNode {
+  FileReaderWriters() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["copy"]).getACall() = this)
+  }
+
+  /**
+   * Gets the arguments to these calls that represent a path from which data is read.
+   */
+  DataFlow::Node getFromPath() { this.getArgument(0) = result }
+
+  /**
+   * Gets the arguments to these calls that represent a path to which data is written.
+   * Includes arguments to chained calls `to`, where that argument also represents a path.
+   */
+  DataFlow::Node getToPath() {
+    this.getAMemberCall("to").getArgument(_) = result
+    or
+    this.getArgument(1) = result
+  }
+}

javascript/frameworks/cap/test/models/cds/utils/utils.expected

@@ -0,0 +1,38 @@
+| utils.js:5:21:5:30 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
+| utils.js:7:31:7:40 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
+| utils.js:9:18:9:27 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
+| utils.js:13:17:13:21 | 'app' | 'app': additional flow step |
+| utils.js:15:19:15:32 | 'package.json' | 'package.json': additional flow step |
+| utils.js:17:22:17:35 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:19:26:19:39 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:21:20:21:33 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:23:20:23:33 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:25:14:25:22 | 'db/data' | 'db/data': controlled data sink |
+| utils.js:25:28:25:41 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:26:14:26:22 | 'db/data' | 'db/data': controlled path sink |
+| utils.js:26:25:26:38 | 'dist/db/data' | 'dist/db/data': controlled data sink |
+| utils.js:28:12:28:20 | 'db/data' | 'db/data': accessed path sink |
+| utils.js:28:26:28:39 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:29:12:29:20 | 'db/data' | 'db/data': accessed path sink |
+| utils.js:29:23:29:36 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:31:13:31:26 | { foo: 'bar' } | { foo: 'bar' }: controlled data sink |
+| utils.js:31:32:31:47 | 'some/file.json' | 'some/file.json': controlled path sink |
+| utils.js:32:13:32:28 | 'some/file.json' | 'some/file.json': controlled path sink |
+| utils.js:32:31:32:44 | { foo: 'bar' } | { foo: 'bar' }: controlled data sink |
+| utils.js:34:14:34:19 | 'dist' | 'dist': controlled path sink |
+| utils.js:34:22:34:25 | 'db' | 'db': controlled path sink |
+| utils.js:34:28:34:33 | 'data' | 'data': controlled path sink |
+| utils.js:35:14:35:27 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:37:13:37:18 | 'dist' | 'dist': controlled path sink |
+| utils.js:37:21:37:24 | 'db' | 'db': controlled path sink |
+| utils.js:37:27:37:32 | 'data' | 'data': controlled path sink |
+| utils.js:38:13:38:26 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:40:14:40:19 | 'dist' | 'dist': controlled path sink |
+| utils.js:40:22:40:25 | 'db' | 'db': controlled path sink |
+| utils.js:40:28:40:33 | 'data' | 'data': controlled path sink |
+| utils.js:41:14:41:27 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:43:10:43:15 | 'dist' | 'dist': controlled path sink |
+| utils.js:43:18:43:21 | 'db' | 'db': controlled path sink |
+| utils.js:43:24:43:29 | 'data' | 'data': controlled path sink |
+| utils.js:44:10:44:23 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:52:20:52:28 | 'db/data' | 'db/data': controlled data sink |

javascript/frameworks/cap/test/models/cds/utils/utils.js

@@ -0,0 +1,58 @@
+const cds = require("@sap/cds");
+
+const { decodeURI, decodeURIComponent, local, exists, isdir, isfile, read, readdir, append, write, copy, stat, find, mkdirp, rmdir, rimraf, rm } = cds.utils
+
+let uri = decodeURI("%E0%A4%A") // taint step
+
+let uri2 = decodeURIComponent("%E0%A4%A") // taint step
+
+let uri3 = local("%E0%A4%A") // taint step
+
+let uri4 = exists("%E0%A4%A") // NOT a taint step - returns a boolean
+
+let dir = isdir('app') // taint step
+
+let file = isfile('package.json') // taint step
+
+let pkg = await read('package.json') // sink
+
+let pdir = await readdir('package.json') // sink
+
+let s = await stat('package.json') // sink
+
+let f = await find('package.json') // sink
+
+await append('db/data').to('dist/db/data')  // sink
+await append('db/data', 'dist/db/data')  // sink
+
+await copy('db/data').to('dist/db/data')  // sink
+await copy('db/data', 'dist/db/data')  // sink
+
+await write({ foo: 'bar' }).to('some/file.json') // sink
+await write('some/file.json', { foo: 'bar' }) // sink
+
+await mkdirp('dist', 'db', 'data') // sink
+await mkdirp('dist/db/data') // sink
+
+await rmdir('dist', 'db', 'data') // sink
+await rmdir('dist/db/data') // sink
+
+await rimraf('dist', 'db', 'data') // sink
+await rimraf('dist/db/data') // sink
+
+await rm('dist', 'db', 'data') // sink
+await rm('dist/db/data') // sink
+
+function wrapperouter() {
+    const temp = append
+    wrapperinnermid(temp)
+}
+
+function wrapperinnermid(temp) {
+    const a = temp('db/data') // sink
+    wrapperinner(a)
+}
+
+function wrapperinner(a) {
+    a.to('dist/db/data')  // sink - [FALSE_NEGATIVE] - rare case as CAP is a fluent API
+}

javascript/frameworks/cap/test/models/cds/utils/utils.ql

@@ -0,0 +1,13 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.CAPPathInjectionQuery
+
+from DataFlow::Node node, string str, string strfull
+where
+  node.(UtilsControlledPathSink).toString() = str and strfull = str + ": controlled path sink"
+  or
+  node.(UtilsAccessedPathSink).toString() = str and strfull = str + ": accessed path sink"
+  or
+  node.(UtilsControlledDataSink).toString() = str and strfull = str + ": controlled data sink"
+  or
+  node.(UtilsExtraFlow).toString() = str and strfull = str + ": additional flow step"
+select node, strfull